fix(ci): upgrade npm to 11.5.1+ for OIDC trusted publishing

Node 22 ships with npm 10.x, which does not know how to exchange the GitHub OIDC id-token for a short-lived npm token. Without this upgrade, the publish step silently falls back to the empty NODE_AUTH_TOKEN that setup-node writes to .npmrc, and the registry returns 404. First test publish (v0.7.4-rc.0) failed at exactly this point, even though provenance signing via sigstore succeeded, confirming the OIDC handshake with GitHub was fine and only the npm-side auth was broken. Fix: `npm install -g npm@latest` before the publish step. Adds ~5s to runtime.
2026-05-19 07:43:09 +00:00 · 2026-04-18 09:33:52 -07:00 · 2026-04-18 09:33:52 -07:00 · 832dd4ada1
commit 832dd4ada1
parent bed772b6a5
1 changed files with 7 additions and 0 deletions
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@ -28,6 +28,13 @@ jobs:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'

+      - name: Upgrade npm for trusted publishing
+        # Node 22 ships with npm 10.x; npm OIDC trusted publishing requires
+        # npm 11.5.1+. Without this, the publish step silently falls back
+        # to the empty NODE_AUTH_TOKEN written by setup-node and the
+        # registry returns 404.
+        run: npm install -g npm@latest
+
      - name: Verify tag matches package.json
        run: |
          TAG_VERSION="${GITHUB_REF#refs/tags/v}"